express-mongo-sanitize

library 2.2.0 · javascript
verified Jun 5, 2026

Express 4.x middleware that sanitizes user-supplied data (req.body, req.query, req.params, req.headers) by stripping or replacing the characters MongoDB interprets as operator syntax ($ and .). The package is widely used to prevent NoSQL injection attacks, particularly those abusing the $where operator. Version 2.2.0 is stable, ships TypeScript declarations, and supports both CommonJS and ESM on Node >=10. Key differentiators: simple drop-in middleware, a configurable replaceWith character, an allowDots option for nested queries, an onSanitize callback, and a dry-run mode. Alternatives such as mongo-sanitize are lower-level; express-mongo-sanitize integrates directly with Express.